Welcome back to your free Active Directory course. In this video I will look at user and
computer accounts in Windows. Accounts in Windows provide the backbone for security in a
Windows environment.
Any account in Windows, whether it is a user or computer account, will have a SID (security
identifier) associated with it. The SID is a unique number that Windows uses to identify
the account. Shown here are some examples of SIDs. The short SIDs are local user accounts
and the longer SIDs are domain SIDs. A SID is required because it allows Windows to
uniquely identify a user even if the other attributes of the user change. Take the example
of a user account: if the user were to change their last name, Windows could still identify
the user account as belonging to the same person because the SID has not changed.
SIDs are also used for computer accounts and groups. The SID provides the unique value that
is used to identify these groups and computers inside Active Directory and on the local
computer. Once again, if you were to change the name of the group or the computer, the SID
associated with the group or computer stays the same.
When troubleshooting Windows and Active Directory, you will see SIDs appear from time to
time, so it is a good idea to understand why they are required. If I open RegEdit from the
start menu and navigate down through the registry, there is a good example of SIDs being
used in user profiles.
A profile in Windows contains all the user's settings, everything from their printer
settings to the files on the desktop. By default the profile is in the Users directory on
the C drive. The profiles listed here contain the basic details of each profile. Each
profile is listed under a key (shown as a folder in RegEdit) whose name is the SID for that
user.
The first three profiles listed are local profiles. You can tell this because the SIDs are
very short. If I look inside one of the profiles listed, notice the value ProfileImagePath.
This value contains the directory where the profile is stored.
The profile below this, with the longer SID, is the domain administrator. The same principle
applies. This key contains details about the administrator's profile, including the folder
where the data for the profile is stored. If the username were to change, for example if the
user changed their name, Windows would still know to find the user's profile settings in the
old folder. You can see why, when a user changes their name, the folder name of their
profile does not change. This is one reason that when a user changes their name I will
sometimes create a new user with the different name and transfer over their settings and
documents. This method ensures settings like the profile folder are set to the new name. If
you do decide to take this approach, make sure there is nothing tied to the old user, like
certificates. If there is, I would stick to renaming the account.
If you want to change the profile folder as well, you can change it in the registry here
and also rename it in the Users folder. As long as they both match, Windows will keep using
it. If they do not match, Windows will create a new profile when the user logs in.
You should now understand why, if a user account is deleted and you create a new user with
the same name, the new user will not have the same access as the old one. When you create
a new user, the new user will have a completely different SID from the old user and thus
will not have access to any of the data that the old user had access to. This is why it is
common practice in some companies that when a person leaves, their account is disabled.
When their replacement is hired, the account is enabled and renamed to the new person. This
ensures the new employee will have all the same access the old employee had.
To demonstrate a bit more clearly how a SID is connected to a user, I will open Windows
Explorer and look at the security for a folder I created on the C drive of this computer. I
have disconnected this computer from the network so it does not have access to a domain
controller. Since the computer can't access a domain controller, notice that two of the
permissions are listed as the SID rather than the username. If I now reconnect the computer
to the network and press Edit, notice that Windows will contact a domain controller, get
the usernames for the two SIDs and display the usernames rather than the SIDs. This is why
you can easily change usernames in Active Directory without having to worry about the
effect it will have on permissions.
To understand a bit more about how accounts and SIDs work in Windows, let's have a look at
the process that happens when a user is authenticated by a domain controller in a domain.
When a user is authenticated by a domain controller, an access token is generated for that
user. The access token can then be used to access other resources on the network. Inside
the access token is the user's SID. When this access token is presented to another system,
say a Windows server, the SID inside the token can be used by the server to identify who
the token belongs to. The server will then look at its access lists to see if that SID has
access. However, as we will see in later videos, good administrators use groups to provide
users with access and make administration easier. If this user was a member of the Sales
group, for example, then, as we have learnt, the Sales group has its own SID. It is a simple
matter of adding the Sales group SID to the user's token when it is created. Now when the
token is presented to another system, the other system checks its access list. In this
case, the Sales group is in the token and on the server's local access list, so the user
will be given access.
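To make that check concrete, here is an added Python model of it (example code written for this page, not from the course or from Windows itself): accounts are keyed by SID, the token built at logon carries the user SID plus a snapshot of group SIDs, and the server compares nothing but SIDs against its access list. It goes one step beyond the walkthrough by also showing that a token built before a group change keeps the old membership until the next logon, and that renaming the account changes nothing because the SID is unchanged; all SIDs and names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    """Access token as built at logon: the user's SID plus a snapshot of group SIDs."""
    user_sid: str
    group_sids: frozenset

class Domain:
    """Toy directory (constructed for this example): accounts are keyed by SID,
    so renaming an account never touches the key that permissions refer to."""
    def __init__(self):
        self.names = {}    # sid -> display name
        self.members = {}  # group sid -> set of member sids
    def add_account(self, sid, name):
        self.names[sid] = name
    def rename(self, sid, new_name):
        self.names[sid] = new_name  # the SID stays the same
    def add_to_group(self, group_sid, user_sid):
        self.members.setdefault(group_sid, set()).add(user_sid)
    def remove_from_group(self, group_sid, user_sid):
        self.members.get(group_sid, set()).discard(user_sid)
    def logon(self, user_sid):
        """Build the token: group membership is copied into it at this moment only."""
        groups = {g for g, m in self.members.items() if user_sid in m}
        return Token(user_sid, frozenset(groups))

def has_access(token, acl):
    """The server's check: acl is the set of SIDs granted access; only SIDs are compared."""
    return bool(acl & ({token.user_sid} | token.group_sids))

def demo():
    # Constructed sample SIDs: same domain part, different RIDs.
    jane, sales, marketing = "S-1-5-21-1-2-3-1104", "S-1-5-21-1-2-3-1201", "S-1-5-21-1-2-3-1202"
    d = Domain()
    for sid, name in ((jane, "Jane Doe"), (sales, "Sales"), (marketing, "Marketing")):
        d.add_account(sid, name)
    d.add_to_group(sales, jane)
    old = d.logon(jane)               # token built while Jane is in Sales
    d.remove_from_group(sales, jane)  # membership changes after logon...
    d.add_to_group(marketing, jane)
    d.rename(jane, "Jane Smith")
    new = d.logon(jane)               # ...and only a fresh logon picks them up
    return {
        "old_token_sales": has_access(old, {sales}),            # True: stale token
        "old_token_marketing": has_access(old, {marketing}),    # False
        "new_token_sales": has_access(new, {sales}),            # False
        "new_token_marketing": has_access(new, {marketing}),    # True
        "same_sid_after_rename": new.user_sid == old.user_sid,  # True
    }
```

Calling demo() returns the five results; the two "old token" entries are the case the next part of the video describes.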
You may be asking yourself, what would happen if the user was removed from the Sales group
after the token had been generated? The answer is the user would still have access, because
the security token contains the SID for the Sales group. The same applies if the user was
added to, say, the Marketing group after the token was created. The user would not have
access to any of the Marketing files because the security token does not contain the SID
for the Marketing group. To fix problems like these, the user simply needs to log off and
log back on. When they log back on, a new token will be generated with the new security
information. Before I start looking at how to use user
accounts in Active Directory, first I want to look at the naming standards that you will
see when using accounts in Windows. The old naming standard, which dates back to Windows
NT, is domain\UserName. This was based on the older NetBIOS naming standard, which did not
support as many characters as DNS does. The newer standard supports the same naming format
that you would use for an e-mail address, for example user@example.com. Windows refers to
this naming format as the user principal name (UPN). In some cases the domain name may be
different from the one used in the login name. For example, a lot of companies use an
internal DNS name ending in .local rather than .com. Active Directory supports any principal
name mapped to any user.
Regardless of which system you use, you will need to work out a system of naming that
minimizes the number of naming conflicts. An example is first initial dot last name. Some
companies will even go for longer names like first name dot last name, or a simpler standard
like last name followed by first initial. The longer the login name, the less likely you
will have two users with the same login. For example, if Jane and John Doe both worked for
the same company, two of the naming standards here would generate the same login name. In
this case an administrator would need to change one of the logins. A lot of administrators
will simply add a number to the end of one of the logins to make them different.
When creating a new user, a pre-Windows 2000 logon name will automatically be chosen for
you. This name will be used by older clients. Besides Windows systems like Windows 9x and
NT, this may also include some older non-Microsoft operating systems. Unless you have an old
operating system, in most cases you won't need to worry about the pre-Windows 2000 logon
name. The reason I bring it up is that it is limited to 20 characters. If you need to use
pre-Windows 2000 logon names, consider the 20 character limit when thinking about how your
naming standard will work.
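As an added example (written for this page, not taken from the course), this Python snippet applies the three naming standards just described to a small constructed staff list, resolves clashes the way the text describes by appending a number, and flags any name over the 20-character pre-Windows 2000 limit; the NetBIOS domain name and DNS suffix passed to account_forms are assumed placeholders.

```python
def logon_names(first, last):
    """Candidate logon names under the three naming standards discussed above."""
    f, l = first.lower(), last.lower()
    return {
        "first_initial.last": f"{f[0]}.{l}",
        "first.last": f"{f}.{l}",
        "last_first_initial": f"{l}{f[0]}",
    }

def assign_logons(people, standard, sam_limit=20):
    """Assign a logon name to each (first, last) pair under one standard.
    On a clash a number is appended, as many administrators do; names longer than
    sam_limit (the 20-character pre-Windows 2000 logon name limit) are also reported."""
    taken, assigned, too_long = set(), {}, []
    for first, last in people:
        base = logon_names(first, last)[standard]
        name, n = base, 1
        while name in taken:          # e.g. Jane Doe and John Doe both map to j.doe
            n += 1
            name = f"{base}{n}"
        taken.add(name)
        assigned[(first, last)] = name
        if len(name) > sam_limit:
            too_long.append(name)
    return assigned, too_long

def account_forms(logon, netbios_domain, dns_domain):
    """The two ways the same account is written: old NT style and UPN style.
    The UPN suffix need not match the e-mail domain (an internal .local name, say)."""
    return f"{netbios_domain}\\{logon}", f"{logon}@{dns_domain}"

# Constructed staff list for the walkthrough (the long surname is there to hit the limit).
STAFF = [("Jane", "Doe"), ("John", "Doe"), ("Maximilian", "Featherstonehaugh")]

def demo():
    """Run every standard over STAFF: returns {standard: (assigned names, too-long names)}."""
    return {std: assign_logons(STAFF, std) for std in logon_names("A", "B")}
```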
This covers the basics of accounts in Windows and Active Directory. In the next video I
will look at how to create a new user account in Active Directory. Thanks for watching.